Tuesday, 16 September 2014

"Kifilwe Shakong" "Copied invoices" spam

Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is not the person sending these messages; they are forgeries, and Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.

The attached invoices are copies. We will not be able to pay them. Please send clear invoices
______________________________________________________________________
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http://www.is.co.za
______________________________________________________________________

Attached is a file with a filename in the format SKMBT_75114091015230.zip, which in turn contains a malicious executable SKMBT_75114091015230.exe with a very low detection rate at VirusTotal of just 1/54.

The ThreatTrack report [pdf] shows that the malware attempts to phone home to the following domain and IPs, which are worth blocking:
golklopro.com
94.100.95.109
31.134.29.175
176.213.10.114
176.8.72.4
176.99.191.49
78.56.92.46
195.114.159.232
46.98.234.76
46.185.88.110
46.98.122.183
46.211.198.56
195.225.147.101
176.53.209.231
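As an added example (not part of the original post), the script below turns the indicators above into two checks a defender can run: flagging attachments that follow the SKMBT_<digits>.zip / .exe naming pattern, and scanning proxy or DNS log lines for the domain and IPs listed. The log lines are constructed, Squid-style samples written for this example; the client addresses in them are from the 192.0.2.0/24 documentation range and are not indicators.

```python
import re
from typing import List, Tuple

# Indicators taken from the post above: the phone-home domain and IPs
MALICIOUS_DOMAINS = {"golklopro.com"}
MALICIOUS_IPS = {
    "94.100.95.109", "31.134.29.175", "176.213.10.114", "176.8.72.4",
    "176.99.191.49", "78.56.92.46", "195.114.159.232", "46.98.234.76",
    "46.185.88.110", "46.98.122.183", "46.211.198.56", "195.225.147.101",
    "176.53.209.231",
}

# Attachment naming seen in the campaign: SKMBT_<digits>.zip (and the .exe inside it)
ATTACHMENT_RE = re.compile(r"^SKMBT_\d+\.(?:zip|exe)$", re.IGNORECASE)

# Loose extractors for dotted-quad IPs and hostnames in a free-form log line
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def is_suspicious_attachment(filename: str) -> bool:
    """True if the attachment name matches the campaign's SKMBT_<digits> pattern."""
    return bool(ATTACHMENT_RE.match(filename.strip()))


def find_ioc_hits(line: str) -> List[str]:
    """Return the sorted, de-duplicated indicators found in one log line."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        if ip in MALICIOUS_IPS:
            hits.add(ip)
    for host in HOST_RE.findall(line):
        h = host.lower()
        # Match the domain itself or any subdomain of it
        if h in MALICIOUS_DOMAINS or any(h.endswith("." + d) for d in MALICIOUS_DOMAINS):
            hits.add(h)
    return sorted(hits)


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, hits) for every line that contains at least one indicator."""
    results = []
    for idx, line in enumerate(lines):
        hits = find_ioc_hits(line)
        if hits:
            results.append((idx, hits))
    return results


# Constructed Squid-style access log lines (not real traffic) used to exercise scan_log
SAMPLE_LOG = [
    "1410860000.123 192.0.2.10 TCP_MISS/200 GET http://www.example.com/ - DIRECT/203.0.113.5",
    "1410860001.456 192.0.2.11 TCP_MISS/200 GET http://golklopro.com/ - DIRECT/94.100.95.109",
    "1410860002.789 192.0.2.12 TCP_MISS/200 CONNECT 176.53.209.231:443 - DIRECT/176.53.209.231",
]

if __name__ == "__main__":
    for name in ("SKMBT_75114091015230.zip", "SKMBT_75114091015230.exe", "invoice.pdf"):
        print(f"{name}: {'SUSPICIOUS' if is_suspicious_attachment(name) else 'ok'}")
    for idx, hits in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(hits)}")
```

Pointing scan_log at a real proxy log is a matter of reading the file line by line; the hostname matcher deliberately catches subdomains of golklopro.com as well as the bare domain, since the post only gives the registered domain.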